Physical Memory Analysis with the LiME Linux Memory Extractor

The LiME Loadable Kernel Module allows digital investigators to perform physical memory analysis on Linux and Linux-based devices such as Android smartphones. LiME could capture currently running and previously terminated apps, for example, and the IP addresses of other devices to which it has connected. In this Linux.com interview, Joe Sylve, a Senior Security Researcher at Digital Forensics Solutions, explains what LiME is and how it works.

Linux.com: What is LiME and what's the background behind its release?

Joe Sylve: LiME (or Linux Memory Extractor) is a tool that allows the capture of volatile memory (RAM) from a running Linux device. It is the first tool of its type that also supports memory capture from Android devices. Forensics memory analysis is vital to investigations as volatile memory contains a wealth of information that is otherwise unrecoverable. Lack of such information can make certain investigative scenarios impossible, such as when performing incident response or analyzing advanced malware that does not interact with non-volatile storage.

In 2011, I was doing some research on the feasibility of using Android devices to access classified information in a forensically secure manner. The Department of Defense currently does not allow employees to access sensitive data from their mobile devices for fear that if the devices were lost or stolen sensitive data could be recovered from them. The first phase of this research was to perform a detailed forensic analysis of selected mobile devices to determine what data is stored on the device by common use cases. This included data that could be recovered from the device's RAM using "live" analysis.

The standard methodology for obtaining a capture of a device's RAM has been to use a tool such as Ivan Kolar's fmem. Attempts to port fmem to Android failed, because of several technical limitations, so that's why I developed LiME (then known as DMD). After testing it, we found that LiME actually worked better than fmem at creating a forensically sound capture on Linux devices.

Linux.com: LiME is intended to be used to capture evidence that can be relevant in criminal and civil investigations, but what prevents anyone from using LiME to invade someone's privacy?

Joe Sylve: By its very nature, computer forensics research is a double-edged sword. Any tool that can be useful for forensics in a criminal investigation has the potential to impact a user's privacy when abused; however, in order to use LiME, an investigator needs to have physical access to the device and the tool needs to be custom compiled to work for the specific running kernel on the device, so the chances that the tool could be used to invade someone's privacy without their knowledge are limited.

Linux.com: What's next for the project? Any additional features or fixes in the works?

Joe Sylve: LiME is a Loadable Kernel Module, which means for it to work it has to be specifically compiled to work on the kernel version that the device is running. It would be nice if there was a community effort to help compile LiME against as many kernel versions as possible, so that investigators and researchers could have access to a library of pre-compiled modules for the kernel versions running on the most commonly used devices.